Product Readmes
Abstract
After you successfully upgrade your IBM Business Process Manager (BPM) V8.5.7 environment, some additional configuration steps might be required. Although most actions are optional, you might have to perform them to ensure applications continue working as expected.
Content
- Depending on the version of IBM BPM that you are upgrading from, you must also look at earlier post-upgrade tasks:
- Post-installation tasks for IBM Business Process Manager V8.5.6 CF02 and V8.5.6 CF01
- Post-upgrade tasks for IBM Business Process Manager V8.5.7
- Post-upgrade tasks for IBM Business Process Manager V8.5.7 CF2016.09 - archived. See below for the related post-upgrade tasks.
- Post-upgrade tasks for IBM Business Process Manager V8.5.7 CF2016.06 - archived. See below for the related post-upgrade tasks.
For example, if you are upgrading from IBM BPM V8.5.6 CF02, also look at the Post-upgrade tasks for IBM Business Process Manager V8.5.7 and the post-upgrade instructions for IBM BPM V8.5.7 CF2016.06 and IBM BPM V8.5.7 CF2016.09 (both in this document).
- After IBM Process Center is successfully upgraded, update your process applications to the latest IBM BPM toolkit levels so you can integrate the latest improvements and defect fixes associated with the toolkit objects. After you update to the latest IBM BPM toolkit levels, you might notice small behavior changes in your process application, such as to the user interfaces, which you might need to modify.
- Installing cumulative fixes can modify the existing system toolkits for the associated version. If your applications are associated with the latest system toolkits, they will automatically include the changes.
The following table includes new settings and actions related to interim fixes that are included in IBM BPM V8.5.7 CF2016.12.
Interim fix (APAR) | Description | Task to enable the function |
Task indexer fails with a NullPointerException when it can't find task participant information in the IBM BPM database |
When the IBM BPM Task indexer can't find a task's participant information in the IBM BPM database, it fails with a NullPointerException reported in an FFDC. |
Rebuild the Lucene index by following the instructions in Updating the Process Portal index. Important: If you have several nodes, start only one node with indexing enabled and wait for this node to completely build its index before starting another node and rebuilding that node's index. All the other nodes must remain stopped. To check if a node has started building its index, search the logs for the following message: "The BPM process search full re-index job was successfully started." To check if the index for a node is completely built, search in the logs for the following message: "The BPM process search full re-index job was successfully completed." For more information about investigating and solving a Process Portal index that is out of sync, see How to investigate and solve a Portal index out of sync situation? |
The following table includes new settings and actions related to interim fixes that are included in IBM BPM V8.5.7 CF2016.09.
Interim fix (APAR) | Description | Task to enable the function |
Only admin users can access the /v1/epv/<epv_id> REST API |
Only members of the tw_admins group can access the /rest/bpm/wle/v1/epv/{epv_id}[?snapshotid={snapshotId}][&branchid={branchId}] REST API. |
To disable the authorization check, add the following setting to the <server> section of all the 100Custom.xml files for Process Center and IBM Process Server in your deployment environment by following this procedure:
1. Stop the servers of your IBM BPM deployment environment.
2. Start the scripting client in disconnected mode as described in updateBPMConfig command.
3. Run the following commands:
   wsadmin> AdminTask.updateBPMConfig( [ '-create', '/server' ] )
   wsadmin> AdminTask.updateBPMConfig( [ '-create', '/server/enforce-authorization-check-for-ps-model-data', '-xNodeValue', 'false' ] )
   wsadmin> AdminConfig.save()
4. Restart the servers of your IBM BPM environment.
For more information, see Modifying runtime server configuration properties and Changing server properties in 100Custom.xml. |
Authorization on complete and finish task REST APIs does not match documented behavior |
The documentation states that the potential task owner, task collaborator, and task team manager authorization roles cannot complete or finish a task. However, the implementation deviates from this specification. |
To re-create the earlier authorization behavior, add the following setting to the <server> section of all the 100Custom.xml files for Process Center and Process Server in your deployment environment by following this procedure:
1. Stop the servers of your IBM BPM deployment environment.
2. Start the scripting client in disconnected mode as described in updateBPMConfig command.
3. Run the following commands:
   wsadmin> AdminTask.updateBPMConfig( [ '-create', '/server' ] )
   wsadmin> AdminTask.updateBPMConfig( [ '-create', '/server/portal' ] )
   wsadmin> AdminTask.updateBPMConfig( [ '-create', '/server/portal/authorization-level-for-task-complete-and-finish', '-xNodeValue', '8560' ] )
   wsadmin> AdminConfig.save()
4. Restart the servers of your IBM BPM environment.
For more information, see Modifying runtime server configuration properties and Changing server properties in 100Custom.xml. |
Origin header allowlist needed for cross-site request forgery (CSRF) protection |
IBM Business Process Manager (BPM) supports cross-site request forgery (CSRF) protection by using a configurable allowlist of domains for the HTTP REFERER header. |
The browser should send XML HTTP (Ajax) requests to the IBM BPM server only while it displays a user interface that is supposed to interact with IBM BPM. By looking at the Referer and Origin headers, a server can detect potential cross-site request forgery (CSRF) attacks in which the browser of an authenticated user is tricked into sending requests to a different site.
You enable Origin header allowlisting by setting a deployment environment (DE) level custom property called ProcessServer.CsrfProtectionOriginallowlist to a comma-separated list of acceptable host:port combinations. When IBM BPM is configured, the domains that host user interfaces which cause an XML HTTP request to be sent to IBM BPM can be added to the allowlist as the set of expected client origins. All other requests can be blocked.
Example (assuming the deployment environment name is De1):
   AdminTask.setBPMProperty(['-de', 'De1', '-name', 'ProcessServer.CsrfProtectionOriginallowlist', '-value', 'https://bpm1.internal.customer.org:9443, https://portal.internal.customer.org'])
If the Referer header and Origin header allowlists are both configured, the Referer allowlist is checked first. The Referer allowlist is parsed and only host names are extracted, whereas the full configured string (including protocol, host, and port) is compared to the current Origin HTTP request header to allow access to IBM BPM resources. This finer-grained protection is possible because Origin does not contain a full URL, nor the path or query string parts of a URL. As with the Referer allowlist, an empty or missing Origin header is acceptable.
Important: Keep both allowlists consistent because they serve the same purpose.
For more information, see Security-hardening properties, Modifying runtime server configuration properties, and Changing server properties in 100Custom.xml. |
You see an active process instance without active tasks, activities, or events |
When you run a process instance that has a conditional activity and that conditional activity has at least one boundary event, the instance stays in the active state although all tasks and required ad hoc activities are completed and no intermediate events are waiting. |
To change the behavior of the business process definition (BPD) engine to check the activity condition only when the activity is created, add the following setting to the <server> section of all the 100Custom.xml files for Process Center and Process Server in your deployment environment by following this procedure:
1. Stop the servers of your IBM BPM deployment environment.
2. Start the scripting client in disconnected mode as described in updateBPMConfig command.
3. Run the following commands:
   wsadmin> AdminTask.updateBPMConfig( [ '-create', '/server' ] )
   wsadmin> AdminTask.updateBPMConfig( [ '-create', '/server/bpd-engine' ] )
   wsadmin> AdminTask.updateBPMConfig( [ '-create', '/server/bpd-engine/evaluate-condition-only-on-activity-creation', '-xNodeValue', 'true' ] )
   wsadmin> AdminConfig.save()
4. Restart the servers of your IBM BPM environment.
For more information, see Modifying runtime server configuration properties and Changing server properties in 100Custom.xml. |
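The Referer and Origin allowlist behavior described in the CSRF row of the table above can be modeled to review a planned configuration before it is set. The following Python sketch is an added example, not IBM code: the function names, the constructed Referer allowlist, and the trimming of spaces around list entries are assumptions, and only the Origin allowlist value comes from the page's example.

```python
from urllib.parse import urlsplit

# Origin allowlist value taken from the page's setBPMProperty example.
ORIGIN_ALLOWLIST = "https://bpm1.internal.customer.org:9443, https://portal.internal.customer.org"
# Constructed Referer allowlist, deliberately out of step with the Origin list.
REFERER_ALLOWLIST = "bpm1.internal.customer.org, reports.internal.customer.org"


def parse_allowlist(value):
    """Split a comma-separated property value (trimming spaces is an assumption)."""
    return [item.strip() for item in value.split(",") if item.strip()]


def allowlist_hosts(value):
    """Extract lower-cased host names from entries given as hosts or full URLs."""
    hosts = set()
    for entry in parse_allowlist(value):
        parsed = urlsplit(entry if "//" in entry else "//" + entry)
        if parsed.hostname:
            hosts.add(parsed.hostname.lower())
    return hosts


def request_allowed(headers, referer_allowlist, origin_allowlist):
    """Model of the documented decision; headers is a dict of request headers."""
    referer = headers.get("Referer", "")
    origin = headers.get("Origin", "")
    # The Referer allowlist is checked first, and only host names are compared.
    if referer_allowlist and referer:
        host = urlsplit(referer).hostname
        if host is None or host.lower() not in allowlist_hosts(referer_allowlist):
            return False
    # Origin is compared as the full configured string: protocol, host and port.
    # An empty or missing header is accepted, as the page states.
    if origin_allowlist and origin:
        if origin not in parse_allowlist(origin_allowlist):
            return False
    return True


def allowlist_drift(referer_allowlist, origin_allowlist):
    """Report hosts that appear in one allowlist but not in the other."""
    ref = allowlist_hosts(referer_allowlist)
    org = allowlist_hosts(origin_allowlist)
    return {"referer_only": sorted(ref - org), "origin_only": sorted(org - ref)}


if __name__ == "__main__":
    # Constructed sample requests.
    samples = [
        {"Origin": "https://bpm1.internal.customer.org:9443"},
        {"Origin": "https://bpm1.internal.customer.org"},  # port missing
        {"Referer": "https://portal.internal.customer.org/ui",
         "Origin": "https://portal.internal.customer.org"},
    ]
    for sample in samples:
        print(sample, "->", request_allowed(sample, REFERER_ALLOWLIST, ORIGIN_ALLOWLIST))
    print(allowlist_drift(REFERER_ALLOWLIST, ORIGIN_ALLOWLIST))
```

The last sample is rejected even though its Origin is allowlisted, because its host is missing from the constructed Referer allowlist; `allowlist_drift` reports that kind of inconsistency between the two lists.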
The following table includes new settings and actions related to interim fixes that are included in IBM BPM V8.5.7 CF2016.06.
Interim fix (APAR) | Description | Task to enable the function |
Long run times occur when authorization code frequently looks up group membership |
In the AuthorizationAPICore class, the listCurrentUserGroupMemberships method is used, which causes long run times for users who are in many groups. |
If you experience long run times and have many users who belong to many (thousands of) groups, add the following setting to the <common> section of all 100Custom.xml files for Process Center and Process Server in your deployment environment by following this procedure:
1. Stop the servers of your IBM BPM deployment environment.
2. Start the scripting client in disconnected mode as described in updateBPMConfig command.
3. Run the following commands:
   wsadmin> AdminTask.updateBPMConfig( [ '-create', '/common' ] )
   wsadmin> AdminTask.updateBPMConfig( [ '-create', '/common/security' ] )
   wsadmin> AdminTask.updateBPMConfig( [ '-create', '/common/security/optimize-group-membership-lookups', '-xNodeValue', 'true' ] )
   wsadmin> AdminConfig.save()
4. Restart the servers of your IBM BPM environment.
For more information, see Modifying runtime server configuration properties and Changing server properties in 100Custom.xml. |
IBM Process Portal users can upload executable files to the IBM BPM server |
Because IBM Process Portal users can upload any files, including executable (.exe) files, to the IBM BPM server by attaching them to stream comments, other Process Portal users can download and run them. |
To block or allow file types or extensions for file attachments uploaded to Process Portal stream comments, follow these instructions.
Blocklisting file extensions
To prevent certain file types or extensions from being uploaded as file attachments, blocklist file extensions by defining a new Mashups_ConfigService property com.ibm.bpm.portal.stream.attachments.extensions.blocklist with a comma-separated list of file name extensions (without '.'), for example, exe,scr,dll,com,bin.
Allowlisting file extensions
To allow only certain file types or extensions to be uploaded as file attachments, allowlist file extensions by defining a new Mashups_ConfigService custom property com.ibm.bpm.portal.stream.attachments.extensions.allowlist with a comma-separated list of file name extensions (without '.'), for example, pdf,txt,csv.
For information about configuring mashups, see Configuring custom properties for Process Portal by using the resource provider for mashups.
You can also limit the file size for attachments uploaded from the Process Portal stream comments by adding the following setting to the <server> section of all the 100Custom.xml files for Process Center or Process Server in your deployment environment. The following example shows the limit as 1 MB. The file size must be specified in bytes (1048576 bytes = 1 MB). Follow this procedure:
1. Stop the servers of your IBM BPM deployment environment.
2. Start the scripting client in disconnected mode as described in updateBPMConfig command.
3. Run the following commands:
   wsadmin> AdminTask.updateBPMConfig( [ '-create', '/server' ] )
   wsadmin> AdminTask.updateBPMConfig( [ '-create', '/server/document-attachment-max-file-size-upload', '-xNodeValue', '1048576' ] )
   wsadmin> AdminConfig.save()
4. Restart the servers of your IBM BPM environment.
For more information, see Modifying runtime server configuration properties and Changing server properties in 100Custom.xml. |
Cannot disable user and group search (GET method) in IBM Business Space |
When you use IBM Business Space, and locked down mode is enabled, you can search for and discover all users and groups defined in the user registry, even if you do not have the required privileges. |
To restrict user and group search in Business Space to only administrators, complete the following steps:
1. In the WebSphere Application Server administrative console, go to Resources > Resource Environment > Resource environment providers > Mashups_ConfigService > Custom properties.
2. Create a new String type property named com.ibm.mashups.usersearch.blocked.
3. Set the value to true. When the value of the com.ibm.mashups.usersearch.blocked property is set to true, only administrators can search users or groups in Business Space.
4. Restart the stand-alone server or network deployment environment. |
JR55299
After you upgrade to IBM BPM V8.5.6, assets REST APIs require admin rights to run on a process server |
On Process Center, GET /rest/bpm/wle/v1/assets returns assets that the user has "read" Although on Process Server, this rest command can be executed Before V8.5.6, the API only required an authenticated user for it to be used. |
Add the following setting to the <server> section of all the 100Custom.xml files for Process Server in your deployment environment by following this procedure:
1. Stop the servers of your IBM BPM deployment environment.
2. Start the scripting client in disconnected mode as described in updateBPMConfig command.
3. Run the following commands:
   wsadmin> AdminTask.updateBPMConfig( [ '-create', '/server' ] )
   wsadmin> AdminTask.updateBPMConfig( [ '-create', '/server/enforce-authorization-check-for-ps-model-data', '-xNodeValue', 'false' ] )
   wsadmin> AdminConfig.save()
4. Restart the servers of your IBM BPM environment.
For more information, see Modifying runtime server configuration properties and Changing server properties in 100Custom.xml. |
You receive the CWLLG1087 warning many times in the SystemOut.log file when you use group filters to hide LDAP groups. |
If you defined a group search filter for an LDAP directory in the Federated Repositories configuration, you might see many occurrences of the CWLLG1087 warning message. |
To disable the printing of these warnings to the log, add the following setting to the <common> section of all the 100Custom.xml files for Process Center and Process Server in your deployment environment:
- true: Warnings will be printed to the log.
- false: Warnings will not be printed to the log.
By default, warnings are printed to the log. Follow this procedure:
1. Stop the servers of your IBM BPM deployment environment.
2. Start the scripting client in disconnected mode as described in updateBPMConfig command.
3. Run the following commands:
   wsadmin> AdminTask.updateBPMConfig( [ '-create', '/common' ] )
   wsadmin> AdminTask.updateBPMConfig( [ '-create', '/common/security' ] )
   wsadmin> AdminTask.updateBPMConfig( [ '-create', '/common/security/warn-of-membership-referring-to-missing-group', '-xNodeValue', 'false' ] )
   wsadmin> AdminConfig.save()
4. Restart the servers of your IBM BPM environment.
For more information, see Modifying runtime server configuration properties and Changing server properties in 100Custom.xml. |
You receive unexpected validation errors for decimal business object types. |
You receive unexpected validation errors for decimal business object types. When you define a business object of type Decimal in IBM Process Designer, you can define various validation options that might not behave as you expect. |
This fix introduces configuration options to control the behavior of the business object validation for Decimal variables. See Variable types in Process Designer and Defining validation behavior for business objects. |
Insufficient authorization models for selected REST APIs (GET process model, GET process applications, and GET environment variables) |
The REST APIs (GET process model, GET process applications and GET environment variables APIs) have been associated with authorization defined for IBM BPM repository access while the process is being authored. Because these APIs are also used to access information when the process runs, runtime authorization semantics are also needed. However, this authorization aspect is missing. |
To restrict runtime access to the GET process model REST API, specify the appropriate user groups for the action policy ACTION_VIEW_PROCESS_MODEL. Note that the default setting gives access to any authenticated user. To remove runtime access restrictions to the GET environment variables REST API, specify additional user groups for the action policy ACTION_VIEW_PROCESS_APP_ENV_VARIABLE. Note that the default setting gives runtime access to members of the "tw_admins" group only. |
SECURITY APAR - CVE-2016-0349 - Incorrect authorization for update of process instance variables |
Because the action of updating process instance variables is not correctly authorized, users without required permission can update process instance variables in IBM BPM. |
If no Portal Admin Teams are defined, you can authorize additional users by assigning one or more groups to the Action Policy ACTION_UPDATE_INSTANCE_VARIABLE. If a Portal Admin Team is defined, the action policy is ignored and you must add the users to the Portal Admin Team to authorize them. By default, the policy is associated with the group tw_admins. If you must change this group, see Configuration properties for Process Portal action policies for instructions. |
In IBM Process Portal, REST request timeouts cause some actions to fail. |
In IBM Process Portal, you might receive an error that often -Clicking the Show More button on the task list in the Work tab |
To set the REST request timeout, add the new Mashups_ConfigService property com.ibm.bpm.social.restRequestTimeoutSeconds and set the value to an integer representing the number of seconds, such as 120 (the default timeout is 60 seconds). For information about mashup configuration, see Configuring custom properties for Process Portal by using the resource provider for mashups. |
Large memory consumption by instrumentation |
In high-load scenarios, instrumentation can use large amount of
|
To disable IBM BPM instrumentation or the collection of IBM BPM runtime statistics for Process Center, Process Server, or Performance Data Warehouse, add the following settings to the <server> section of all the 100Custom.xml files in your deployment environment. By default, these settings are enabled. Setting one to false disables the associated product feature. Follow this procedure:
1. Stop the servers of your IBM BPM deployment environment.
2. Start the scripting client in disconnected mode as described in updateBPMConfig command.
3. Run the following commands:
   wsadmin> AdminTask.updateBPMConfig( [ '-create', '/server' ] )
   wsadmin> AdminTask.updateBPMConfig( [ '-create', '/server/enable-instrumentation', '-xNodeValue', 'false' ] )
   wsadmin> AdminTask.updateBPMConfig( [ '-create', '/server/collect-runtime-stats', '-xNodeValue', 'false' ] )
   wsadmin> AdminConfig.save()
   To disable instrumentation or collection of runtime statistics for the Performance Data Warehouse server, add the '-xServerType', 'PDW' parameters.
4. Restart the servers of your IBM BPM environment.
For more information, see Modifying runtime server configuration properties and Changing server properties in 100Custom.xml. |
JR55884 |
When you use an SCA application with a one-way interface HTTP import binding, the HTTP binding still considers the one-way |
To enable an exception to be thrown for error status codes on a one-way HTTP import, add the com.ibm.ws.httpbinding.oneway.throwExceptionOnErrorCodes JVM property to all application cluster servers and set it to "true". After you add this property, you will see an exception when the HTTP status code is not within 200 to 300. |
JR55921 Responsive Portal cannot retrieve user memberships for a selected list of groups |
Responsive Portal relies on the /user REST API call to retrieve the group memberships for a user. Including all group membership information in response to the user details (/user) REST API can lead to long run times for users belonging to many (thousands of) groups. To omit group membership information for a user, you can pass the parts=none parameter with the REST request. However, there is no way to get group membership information for a selected list of group names. |
If you want Responsive and Heritage Portal to use the new parameter, add the new Mashups_ConfigService property com.ibm.bpm.portal.excludeMembershipInfoFromUserInfoRestApis and set it to true. For information about mashup configuration, see Configuring custom properties for Process Portal by using the resource provider for mashups. |
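For the Process Portal stream-comment attachment row earlier in this table (extension blocklist, extension allowlist, and maximum file size), the following Python sketch compares what each policy admits for the same uploads. It is an added example, not IBM code: the extension lists and the 1048576-byte limit are the page's example values, while the function names, the constructed file names, and the matching rules (final extension only, case-insensitive) are assumptions about a model, not documented IBM BPM behavior.

```python
import os

BLOCKLIST = "exe,scr,dll,com,bin"  # example blocklist value from the page
ALLOWLIST = "pdf,txt,csv"          # example allowlist value from the page
MAX_BYTES = 1048576                # 1 MB limit from the page, in bytes


def parse_extensions(value):
    """Turn a comma-separated extension list (without '.') into a set."""
    return {e.strip().lower().lstrip(".") for e in value.split(",") if e.strip()}


def extension_of(filename):
    """Final extension, lower-cased; '' when there is none (assumed matching rule)."""
    return os.path.splitext(filename)[1].lstrip(".").lower()


def check_upload(filename, size, blocklist=None, allowlist=None, max_bytes=None):
    """Return (accepted, reason) for one attachment under the given policy."""
    ext = extension_of(filename)
    if max_bytes is not None and size > max_bytes:
        return (False, "file larger than limit")
    if blocklist is not None and ext in parse_extensions(blocklist):
        return (False, "extension is blocklisted")
    if allowlist is not None and ext not in parse_extensions(allowlist):
        return (False, "extension is not allowlisted")
    return (True, "accepted")


def compare_policies(samples):
    """For each (name, size), return (name, ok_with_blocklist, ok_with_allowlist)."""
    rows = []
    for name, size in samples:
        by_block = check_upload(name, size, blocklist=BLOCKLIST, max_bytes=MAX_BYTES)[0]
        by_allow = check_upload(name, size, allowlist=ALLOWLIST, max_bytes=MAX_BYTES)[0]
        rows.append((name, by_block, by_allow))
    return rows


# Constructed sample uploads: (file name, size in bytes).
SAMPLES = [
    ("report.pdf", 20000),
    ("setup.EXE", 5000),
    ("installer.msi", 5000),      # not in the example blocklist
    ("notes", 100),               # no extension at all
    ("export.csv", 2 * 1048576),  # allowed type, but over the size limit
]

if __name__ == "__main__":
    for row in compare_policies(SAMPLES):
        print("%-15s blocklist=%-5s allowlist=%s" % row)
```

Under these assumptions the blocklist accepts every extension it does not name, including files with no extension, while the allowlist rejects anything outside pdf, txt and csv.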
Product Synonym
BPM
Document Information
Modified date:
05 July 2018
UID
swg27049143